We have added a few test accounts as resources in the Clarity application. However, when we log in via SSO from our domain's Okta through those new IDs, we are redirected to the login.broadcom.com page rather than to our Clarity Dev instance. All test users are redirected in this way when they try to authenticate from the Okta server using the Chrome browser.
Release : 16.0.2
Component : Clarity SaaS Operations SSO
Please verify that your Okta IDP is sending the assertion to Broadcom with the correct values for NameID and Email in the SAML assertion. At times, some users may have a different value for their username or email address in the Okta IDP than what is configured in Clarity. Support recommends having your IDP Admin run a SAML trace via a browser extension in Chrome.
Collect SAML trace using KB: https://knowledge.broadcom.com/external/article?articleId=175051
SAML trace scenario:
We are able to see an error message in the SAML trace, but it was this line that made the IDP Admin look back at our Okta setup:
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml2:NameID>
- SAML was pointing to an incorrect email address.
- The SAML trace identified that Okta was not passing the right email. Once that was corrected, the accounts were able to log in to the Clarity non-prod environment.
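The following is an added example (not part of this article or of Clarity/Okta) that automates the check described above: it decodes a SAMLResponse captured by a trace extension, pulls the NameID and the Email attribute out of the assertion, and compares them with the username and email Clarity has on record for the user. The assertion below is constructed, the attribute name "Email" and the comparison rules are assumptions, and no signature validation is performed since the goal is only to spot the value mismatch.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the assertion sent to Broadcom.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real trace). The IdP sends a stale alias
# as NameID while Clarity knows the user by the corporate address.
SAMPLE_ASSERTION = b"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe.old@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Email">
      <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_identity(assertion_xml: bytes) -> dict:
    """Return NameID, its Format and all attribute values from an assertion or Response."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml2:AttributeValue", NS)]
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def identity_from_trace(saml_response_b64: str) -> dict:
    """Trace extensions show the SAMLResponse POST parameter base64-encoded."""
    return extract_identity(base64.b64decode(saml_response_b64))


def check_against_clarity(identity: dict, clarity_username: str, clarity_email: str) -> list:
    """List every mismatch between the assertion and the Clarity resource record."""
    problems = []
    if identity["name_id"] is None:
        problems.append("assertion has no NameID")
    elif identity["name_id"].lower() != clarity_username.lower():
        problems.append(f"NameID {identity['name_id']!r} != Clarity username {clarity_username!r}")
    emails = identity["attributes"].get("Email", [])  # attribute name is an assumption
    if not emails:
        problems.append("assertion has no Email attribute")
    elif emails[0].lower() != clarity_email.lower():
        problems.append(f"Email {emails[0]!r} != Clarity email {clarity_email!r}")
    return problems
```

An empty list from check_against_clarity means the IdP values line up with Clarity; any entry names the field the IDP Admin needs to correct in Okta.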